What is our primary use case?
All in-house developed code, or third-party developed code written on our behalf, is scanned via Fortify on Demand. Any results for insecure code, vulnerabilities, or issues are passed back to the development teams for remediation.
How has it helped my organization?
Secure code is an important part of our day-to-day development activities. So, having code out there gives us some reasonable assurance that it is not vulnerable or open to attack. It certainly makes our overall risk posture better.
What is most valuable?
Being able to reduce risk overall is a very valuable feature for us.
What needs improvement?
They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it.
What do I think about the stability of the solution?
It is a very stable product. They are constantly updating and keeping it up to date. There are no issues.
What do I think about the scalability of the solution?
It is extremely scalable and flexible. We scan very small applications from our in-house innovations team and all the way up to millions of lines of code from our e-commerce teams. We currently have about 50 users, but the number varies. Some development teams are fairly small, and some are fairly large.
How are customer service and technical support?
Technical support is very good. I've never had an issue that we couldn't resolve. If we have a scan running and we need it to finish sooner, they will allocate extra resources to it if we identify that need. We've had very good results with their tech support.
Which solution did I use previously and why did I switch?
This is the first solution that was implemented. I inherited this from somebody else. We are a government organization, so we have to do an RFP next year to renew. We'll see how it goes.
How was the initial setup?
The basic scanning is not very complex. When you get into more detailed scanning such as APIs, the level of complexity is moderate. However, when you are scanning that type of application, you usually have teams available that know what to do and what the configuration needs to be. We did our first scan within two days.
What about the implementation team?
It was implemented in-house. We have in-house expertise. Our strategy was basically just to stand it up and use the default settings initially with a pilot. We planned to do some pilot scans and get a good feel for the product, and then adjust accordingly on an ongoing basis.
I managed it for two years single-handedly. As we expand and add more and more applications, we are adding extra hands. In terms of FTE equivalency, it is probably 0.5 to 0.75 people to manage it.
What was our ROI?
Looking for a return on investment on security is a little challenging. Some CIOs might argue one way or another. Some look at it as a cost, and some look at it as cost avoidance. I'm a security professional, and I look at it as cost avoidance. So, we're avoiding breaches, people being able to manipulate the code or cause any issues, and downtime. I always look at the positives of the product. If we eliminate any of the security risks or attack vectors on these products before they go live, we're doing due diligence in making sure that the product stays up and running, especially for something like e-commerce.
What's my experience with pricing, setup cost, and licensing?
Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide.
What other advice do I have?
We plan to keep using this solution. Every year, we seem to have more and more code, and they add more and more features such as third-party library assessments, etc. Open source has become a big thing as companies try to save money, but with open source comes additional risk. This solution helps us mitigate the risk of those open-source components. So, we're using this more and more as we move forward.
The important part of this is automation. There are lots of automation options for this tool. Initially, trying to do it manually was a great start, but we kind of got lost a little bit along the way of implementing it. We should have done more automation right from the beginning, made it our standard, and created the policies. Sometimes, you put the cart before the horse. The tool does a great job, and you get lost in the results. It does provide good results and good information, but I think it's very important to have those policies and procedures in place right up front with this product. It will save you a lot of time in the end.
The biggest lesson that I have learned from using this product is that even if you have the best people, there are always vulnerabilities and things that will surprise you.
I would rate Micro Focus Fortify on Demand a nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.